CVE-2026-44754 PUBLISHED

Missing caller identification check-in for ODP Data Replication APIs

Assigner: sap
Reserved: 07.05.2026 Published: 09.06.2026 Updated: 09.06.2026

The Remote Function Call (RFC) modules of the Operational Data Provisioning Data Replication API (ODP-RFC) are missing caller identification of permitted SAP-internal applications and are being used by customer or third-party applications in ways that are not aligned with its intended usage. Which could lead to unintended disclosure of data, but does not affect integrity, and poses minimal availability concerns for the application.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:L
CVSS Score: 6.6

Attack Vector	Network	Scope	Changed
Attack Complexity	High	Confidentiality Impact	High
Privileges Required	High	Integrity Impact	None
User Interaction	None	Availability Impact	Low

CVSS 3.1

Product Status

Vendor	SAP_SE
Product	ODP Data Replication APIs
Versions	Default: unaffected Version DW4CORE 200 is affected Version 300 is affected Version 400 is affected Version PI_BASIS 2006_1_700 is affected Version 701 is affected Version 702 is affected Version 731 is affected Version 740 is affected Version SAP_BW 750 is affected Version 816 is affected

CVE-2026-44754 PUBLISHED

Missing caller identification check-in for ODP Data Replication APIs

Metrics

Product Status

References

Problem Types